Cyber Incident Victim: Jones Lang LaSalle

Date: May 2023

Location: United States of America

Summary

The real estate giant Jones Lang LaSalle (JLL) was a victim of a mass cyberattack exploiting a vulnerability in the MOVEit file-transfer tool. The Clop ransomware gang was responsible for the incident, which resulted in a data breach affecting the organization. Unauthorized access was gained to a limited number of files, compromising the personal data of all 43,000 employees, though Social Security numbers were not included in the exfiltrated information.

Description

On or around May 28, 2023, the Clop ransomware gang exploited a previously unknown security vulnerability in Progress Software’s MOVEit file-transfer tool, initiating a mass data raid targeting corporate customers of the software. This incident, which became known as the MOVEit mass-hack, claimed hundreds of victims, including real estate giant Jones Lang LaSalle (JLL). The Clop gang claimed responsibility for the attacks and began listing victim organizations on its dark web leak site. JLL was notified by MOVEit of the security vulnerability in their software. The organization’s immediate investigation subsequently detected unauthorized access to a limited number of files. The malicious activity was contained, and JLL patched its systems per the vendor-provided instructions.

The data breach at JLL affected the organization's entire workforce. A source with knowledge of the incident reported that JLL informed its staff by email that all employee data had been compromised. This notification clarified that Social Security numbers were not among the data types accessed by the hackers. The breach impacted all of JLL’s 43,000 employees. The company did not dispute these claims when contacted. JLL’s priority was to communicate directly with those impacted as well as all relevant authorities, which the company stated it had done. A spokesperson confirmed the organization took these actions following the discovery of the incident.

JLL was one of numerous organizations affected by the widespread exploitation of the MOVEit vulnerability. Other victims included banks, hotels, hospitals, and universities. The international hotel chain Radisson Hotels Americas was also listed on Clop’s dark web leak site. A spokesperson for Choice Hotels, which had acquired Radisson, confirmed that a limited number of guest records were accessed by the hackers but declined to specify the number of affected guests. U.S.-based 1st Source Bank, among the first victims listed by Clop, confirmed in a regulatory filing that hackers had accessed sensitive client data of both commercial and individual clients, including personally identifiable information. The bank notified its commercial clients and began the process of identifying and directly notifying impacted individual clients.

The healthcare sector was also impacted. UofL Health, an academic health system based in Kentucky, confirmed it had been targeted after appearing on Clop’s leak site. The organization stated that a small number of its medical practices used the MOVEit software to transfer files to third-party vendors. Upon learning of the event, UofL Health immediately took action and engaged a forensic IT agency to determine the scope of the matter. The organization stated that the security of normal operations at its hospitals, medical centers, and physician offices was not jeopardized, but it declined to confirm whether any data was actually accessed.

Dutch navigation giant TomTom was another organization listed by Clop. The company confirmed it was affected by a data breach that occurred on its vendor’s platform, MOVEit, the previous month. TomTom stated it had taken all necessary safety and security measures to protect the data and had informed the relevant authorities. It was not yet known what specific data, if any, was stolen from TomTom by the Clop gang. Several other prominent victims came forward, including German investment bank Deutsche Bank, the University of Colorado, the University of Illinois, diagnostics company Realm IDX, and New York-based biopharmaceutical firm Bristol Myers Squibb. Tens of other organizations were listed on the dark web leak site but had not yet publicly confirmed their status or the scope of their breaches.

According to threat analysts, the scale of the MOVEit mass-hack was substantial. The latest figures indicated that the hackers had claimed almost 270 victim organizations, impacting more than 17 million individuals. The incident represented a significant supply-chain attack, leveraging a single vulnerability in a widely used file-transfer tool to compromise data across a diverse range of industries and sectors globally. The response from affected organizations largely followed a similar pattern: upon notification of the vulnerability, investigations were launched, unauthorized access was detected, systems were patched using the vendor's instructions, and relevant authorities and impacted individuals were notified. The long-term consequences and full scope of data exfiltrated from many victims, including JLL, were not fully detailed in immediate public statements.
